"Best Practice" is not a constant, you know. Reality and feedbacks from the trenches sometimes conspire to alter "best practices" every now and then. Some auditors forget this salient truth. 5 is not practical, for various reasons, one of which is the "fast user switch" bug of WinXP.
Anyways, regardless of what the auditors say, you'd do better by spending a day with the "Account Lockout and Management Tools" document, and playing with the supplied tools. These tools and document came about through inputs from a lot of people that went through the same thing you are going through now. And I can tell you the recommendations and tools are really effective.
Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Raymond McClinnis
Sent: Wed 10/15/2003 2:59 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Lock-outs after only one attempt...

One of these days I'll learn how to proofread for coherency :) ... I just read what I sent, doesn't make much sense.
Windows 2K domain; the majority of clients are Windows 2K. Attempts is set to <=5 (for obvious reasons I don't want to say the exact #).

Joe: I thought best practices were to have it set to less than 5? At least that's what I remember hearing from our auditors... I'll give anything a try to keep this from happening though; it just takes it happening to your boss one time before you have to dedicate a whole day to attempting to fix it. :)
Next time I hear it reported I’ll use EventCombMT to get more forensic data. I know I did it once before, and was discouraged quickly by my findings.
I'll post more when I get a call (probably later today). Thanks for all the suggestions so far!
Thanks,
Raymond
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of deji Agba
They are very probably XP clients. They very likely have the "fast user switch" option enabled on the XP, and Raymond has probably set his lockout threshold somewhere <= 5. I wager that this is the problem, barring the obvious multiple wrong passwords of course.
I know there is a Q article regarding this somewhere on support.microsoft.com. Good luck.
Sincerely,
From: Joe

How low is your policy set? If it is 10 or less, reconsider. Think about what the lockout policy is in place to avoid and what a good logical number is to use to accomplish that goal. Are your machines all W2K+, or what are they? Do you have logging enabled on your DCs, and have you chased the event log entries to see how the requests are coming in (i.e. very quickly or spread out or ?).

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis
Sent: Tuesday, October 14, 2003 7:40 PM
To: [EMAIL PROTECTED]

Hello All,

We recently implemented Require Strong Passwords on our WIN2K and it seems that some users get locked out after entering an incorrect password only one time. (I assure you that I allow more than one mistake; I too am human.) This was happening before the change, but I am seeing it more now (harder passwords = more mistakes). The only thing I can think of is that we have multiple remote DCs in a bridged WAN environment, so when someone logs on, it hits a couple of them at the same time and they all count it as an invalid try. That's my theory anyways; I'm open for suggestions.

Thanks,
Raymond

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
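Joe's advice above is to pull the DC security logs and look at how the bad-password events arrive in time: a burst of failures for one account, reported by several DCs within a second or two, supports Raymond's "one logon counted on more than one DC" theory, while failures minutes apart on one DC look like a person retyping a password. The script below is an added illustration of that triage, written for this thread; it is not a tool from the list, from Microsoft, or from EventCombMT. It assumes the events have already been exported (for example by EventCombMT) into a text file with one event per line in a constructed "DC,timestamp,event_id,account" format, and uses the Windows 2000 security-log IDs 529 (bad password) and 644 (account locked out). The sample data inside the block is constructed.

```python
"""Triage bad-password and lockout events collected from several DCs.

Added example for the ActiveDir thread on one-attempt lockouts; not a tool
from the list or from Microsoft.  Input is an assumed, constructed export
format: one event per line, "dc,timestamp,event_id,account".
"""
from collections import defaultdict
from datetime import datetime

BAD_PASSWORD = 529     # Windows 2000 security log: logon failure, bad password
ACCOUNT_LOCKED = 644   # Windows 2000 security log: user account locked out

# Constructed sample export (not real log data).  The first account shows
# three DCs each recording the same logon within two seconds, then a lockout;
# the second shows a person retrying a password over several minutes.
SAMPLE_EXPORT = """\
DC1,2003-10-14 18:02:11,529,rmcclinnis
DC2,2003-10-14 18:02:11,529,rmcclinnis
DC3,2003-10-14 18:02:12,529,rmcclinnis
DC1,2003-10-14 18:02:13,644,rmcclinnis
DC1,2003-10-14 09:10:00,529,jdoe
DC1,2003-10-14 09:11:30,529,jdoe
DC1,2003-10-14 09:14:05,529,jdoe
"""


def parse_export(text):
    """Parse the export into (dc, time, event_id, account) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        dc, ts, event_id, account = line.split(",")
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        events.append((dc, when, int(event_id), account.lower()))
    return events


def summarize_account(events, burst_window_s=5):
    """Summarize the events for ONE account (any order) and name the pattern."""
    ordered = sorted(events, key=lambda e: e[1])
    failures = [e for e in ordered if e[2] == BAD_PASSWORD]
    lockouts = [e for e in ordered if e[2] == ACCOUNT_LOCKED]
    if not failures:
        return {"failures": 0, "dcs": [], "span_s": 0.0, "locked": bool(lockouts),
                "failures_before_lock": None, "pattern": "no_failures"}

    span_s = (failures[-1][1] - failures[0][1]).total_seconds()
    dcs = sorted({e[0] for e in failures})
    failures_before_lock = None
    if lockouts:
        first_lock = lockouts[0][1]
        failures_before_lock = sum(1 for e in failures if e[1] <= first_lock)

    if len(dcs) > 1 and span_s <= burst_window_s:
        # Several DCs logged a failure at almost the same instant: consistent
        # with one logon being counted once per DC, the theory in the thread.
        pattern = "multi_dc_burst"
    elif span_s <= burst_window_s:
        pattern = "single_dc_burst"
    else:
        # Failures minutes apart on the same DC look like a user retyping.
        pattern = "spread_out"

    return {"failures": len(failures), "dcs": dcs, "span_s": span_s,
            "locked": bool(lockouts), "failures_before_lock": failures_before_lock,
            "pattern": pattern}


def triage(text, burst_window_s=5):
    """Group an export by account and summarize each one."""
    by_account = defaultdict(list)
    for ev in parse_export(text):
        by_account[ev[3]].append(ev)
    return {acct: summarize_account(evs, burst_window_s)
            for acct, evs in by_account.items()}


if __name__ == "__main__":
    for account, summary in triage(SAMPLE_EXPORT).items():
        print(account, summary)
```

Compare `failures_before_lock` with the threshold actually set in the domain policy: a locked account with fewer distinct user attempts than the threshold, and a `multi_dc_burst` pattern, is the signature Raymond describes, whereas `spread_out` with a count at or above the threshold is the policy doing what it was configured to do.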
- [ActiveDir] Lock-outs after only one attempt... Raymond McClinnis
- RE: [ActiveDir] Lock-outs after only one attempt... Joe
- RE: [ActiveDir] Lock-outs after only one attempt... John Reijnders
- RE: [ActiveDir] Lock-outs after only one attempt... Raymond McClinnis
- RE: [ActiveDir] Lock-outs after only one attempt... Raymond McClinnis